Fake Flash update leads to NetSupport RAT
I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).
PCAP file of the infection traffic:
2018-02-27-Fake-Flash-NetSupport-RAT-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:
- plastibond.com – COMPROMISED SITE
- 23.152.0.118 – track.amishbrand.com – WILL NOT INFECT IF DOMAIN IS BLOCKED
- 84.200.17.21 – scene.timbervalleyfarm.com – DOMAIN HOSTING FAKE FLASH
- DROPBOX – JAVASCRIPT TO DOWNLOAD NETSUPPORT MANAGER RAT
- 185.243.112.38 – pn.dr906090.com POST /index.aspx – POST INFECT TRAFFIC
- SCREENCAST GET /users/seg.net90/folders/serg_90_09022018/media/339d4871-0ad4-41bf-86ab-17fb5364e24e/desktop.ini.lnk?downloadOnly=true – DOMAIN HOSTING NETSUPPORT MANAGER RAT INSTALLER
- 179.43.186.90 – POST http://179.43.186.90/fakeurl.htm – NETSUPPORT MANAGER RAT C2
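As an added example (not part of the original post), the following Python script checks DNS and proxy log lines against the domains, IP addresses and URI fragments listed above and reports how far along the chain each client got, so a defender can tell a host that merely resolved the redirector (blocked before infection) from one that reached the NetSupport C2. The log line format, the client addresses, the screencast host name, the non-C2 request paths and the DNS answer for the compromised site are all constructed for illustration; only the indicators themselves come from the list above.

```python
"""IoC sweep over DNS / HTTP proxy records for the Fake Flash -> NetSupport RAT chain."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Indicators taken from the write-up. The short stage names are added here so the
# chain can be ordered from first contact to C2 when reporting per client.
HOST_IOCS = {
    "plastibond.com": ("compromised-site", "compromised site that starts the chain"),
    "track.amishbrand.com": ("redirect", "redirector; infection does not proceed if this domain is blocked"),
    "scene.timbervalleyfarm.com": ("fake-flash", "domain hosting the fake Flash update"),
    "pn.dr906090.com": ("post-infection", "POST /index.aspx post-infection traffic"),
    "179.43.186.90": ("c2", "NetSupport Manager RAT C2, POST /fakeurl.htm"),
}
# Server IPs from the write-up, mapped back to the host they were seen with, so a
# record that carries only the IP (or a different Host header) still matches.
IP_IOCS = {
    "23.152.0.118": "track.amishbrand.com",
    "84.200.17.21": "scene.timbervalleyfarm.com",
    "185.243.112.38": "pn.dr906090.com",
    "179.43.186.90": "179.43.186.90",
}
# The screencast host name is not given in the write-up; the installer URI's
# distinctive tail is enough to recognise the download.
INSTALLER_TAIL = "desktop.ini.lnk?downloadOnly=true"
STAGE_ORDER = ["compromised-site", "redirect", "fake-flash", "installer", "post-infection", "c2"]

# Constructed record format (not from the write-up), one record per line:
#   <timestamp> <client_ip> <DNS|GET|POST> <host> <path-or-rrtype> <server_ip>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(DNS|GET|POST)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    stage: str
    detail: str
    raw: str


def classify(line: str) -> Optional[Hit]:
    """Return a Hit if the record touches an indicator from the write-up, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, path, server_ip = m.groups()
    host = host.lower()
    if path.endswith(INSTALLER_TAIL):
        return Hit(ts, client, "installer", "NetSupport RAT installer download (screencast)", line)
    if host in HOST_IOCS:
        stage, detail = HOST_IOCS[host]
        return Hit(ts, client, stage, f"{method} {host}: {detail}", line)
    if server_ip in IP_IOCS:
        stage, detail = HOST_IOCS[IP_IOCS[server_ip]]
        return Hit(ts, client, stage, f"server {server_ip} is associated with {IP_IOCS[server_ip]}: {detail}", line)
    return None


def sweep(lines: Iterable[str]) -> List[Hit]:
    """Classify every record and keep only the ones that hit an indicator."""
    return [h for h in (classify(ln) for ln in lines) if h is not None]


def furthest_stage(hits: List[Hit], client: str) -> Optional[str]:
    """Deepest stage of the chain a given client reached, or None if it touched nothing."""
    seen = {h.stage for h in hits if h.client == client}
    reached = [s for s in STAGE_ORDER if s in seen]
    return reached[-1] if reached else None


def report(lines: Iterable[str]) -> Dict[str, str]:
    """Map each client that hit an indicator to the deepest stage it reached."""
    hits = sweep(lines)
    return {c: furthest_stage(hits, c) for c in sorted({h.client for h in hits})}


# Constructed sample records: one host walks the whole chain, another only resolves
# the redirector (the point at which a domain block would have stopped the chain).
SAMPLE_LOG = """\
2018-02-27T14:02:10Z 10.0.0.5 DNS plastibond.com A 198.51.100.7
2018-02-27T14:02:10Z 10.0.0.5 GET plastibond.com / 198.51.100.7
2018-02-27T14:02:11Z 10.0.0.5 DNS track.amishbrand.com A 23.152.0.118
2018-02-27T14:02:11Z 10.0.0.5 GET track.amishbrand.com /js/track.js 23.152.0.118
2018-02-27T14:02:12Z 10.0.0.5 GET scene.timbervalleyfarm.com /flash/update.html 84.200.17.21
2018-02-27T14:02:40Z 10.0.0.5 GET www.screencast.example /users/seg.net90/folders/serg_90_09022018/media/339d4871-0ad4-41bf-86ab-17fb5364e24e/desktop.ini.lnk?downloadOnly=true 203.0.113.9
2018-02-27T14:03:02Z 10.0.0.5 POST pn.dr906090.com /index.aspx 185.243.112.38
2018-02-27T14:03:05Z 10.0.0.5 POST 179.43.186.90 /fakeurl.htm 179.43.186.90
2018-02-27T14:03:05Z 10.0.0.9 GET www.example.com / 93.184.216.34
2018-02-27T14:04:00Z 10.0.0.9 DNS track.amishbrand.com A 23.152.0.118
"""

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} {hit.client} [{hit.stage}] {hit.detail}")
    for client, stage in report(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: furthest stage reached = {stage}")
```

Matching on the installer URI tail rather than the screencast host is deliberate: the write-up names the hosting service but not the exact host, and a defender who reproduces this against real proxy logs should add the observed host once it is known. Feed the script real records by adapting `LINE_RE` to the local log format; everything else keys off the indicators above.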
IMAGES AND DETAILS OF INFECTION CHAIN:
Image: DNS traffic associated with Fake Flash Player update and NetSupport Manager RAT
Image: Script for domain hosting fake Flash content
Image: Fake Flash Player pop-up which leads to NetSupport Manager RAT
Image: Fake Chrome update when visiting compromised site using Chrome browser
Image: NetSupport RAT installer hosted on screencast
MALICIOUS PAYLOAD ASSOCIATED WITH FAKE FLASH UPDATE:
- update.js – JavaScript to download NetSupport Manager RAT
- z7a.exe – NetSupport Manager RAT installer (VirusTotal link)
- client32.exe – NetSupport Manager client (VirusTotal link)
- C:\Users\USERNAME\AppData\Roaming\ManifestStore